Presentation is loading. Please wait.

Presentation is loading. Please wait.

Computer Forensics Principles and Practices by Volonino, Anzaldua, and Godwin Chapter 9: Internet and Network Forensics and Intrusion Detection.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Computer Forensics Principles and Practices by Volonino, Anzaldua, and Godwin Chapter 9: Internet and Network Forensics and Intrusion Detection."— Presentation transcript:

1 Computer Forensics Principles and Practices by Volonino, Anzaldua, and Godwin Chapter 9: Internet and Network Forensics and Intrusion Detection

2 © Pearson Education Computer Forensics: Principles and Practices 2 Objectives Explain the operation of intrusion detection systems (IDSs) Discuss the value of using a network forensic analysis toolkit (NFAT) Identify the components of an NFAT

3 © Pearson Education Computer Forensics: Principles and Practices 3 Objectives (Cont.) List the different areas from which data can be extracted Understand how to use an NFAT to capture physical and logical network data Identify the most common NFAT systems

4 © Pearson Education Computer Forensics: Principles and Practices 4 Introduction Network forensic analysis has been around for some time. Intrusion detection systems (IDSs) work hand in hand with network forensic analysis toolkits (NFAT) and are addressed in this chapter. Limitations, both legal and technical, are also discussed.

5 © Pearson Education Computer Forensics: Principles and Practices 5 Intrusion Detection Systems Development of IDSs was the first attempt to address increasing numbers of network attacks An IDS looks for anomalies that differ from an established baseline IDSs categorized as  Signature-based  Anomaly-based

6 © Pearson Education Computer Forensics: Principles and Practices 6 Intrusion Detection Systems (Cont.) Common IDS solutions available today:  Cisco Secure IDS  Enterasys™ Dragon ®  Elm 3.0  GFI LANguard S.E.L.M  Intrust Event Admin  Snort ®  Tripwire  eTrust ®

7 © Pearson Education Computer Forensics: Principles and Practices 7 Reactive and Active Systems An IDS is a reactive security system  Can tell you someone has broken in and where, but cannot record how burglary is taking place  Cannot gather forensic evidence admissible in court of law For more active sensing, an NFAT system is required NFATs enable an investigator to replay, isolate, and scrutinize an intrusion

8 © Pearson Education Computer Forensics: Principles and Practices 8 Reactive and Active Systems (Cont.) NFAT developers faced a number of challenges:  Lack of infrastructure for forensic data collection, storage, and dissemination  Rapid growth in network traffic  Labor-intensive forensics processes that span multiple administrative domains  Current logging mechanisms that prevented forensic analysts from exploring networks incrementally

9 © Pearson Education Computer Forensics: Principles and Practices 9 Real-Time NFAT Analysis An NFAT should be able to:  Forensically capture complete and correct e- evidence  Keep up with ever-increasing network speeds  Store captured e-evidence for long periods of time for extended investigations  Keep the e-evidence secure to preserve the integrity of collected e-evidence

10 © Pearson Education Computer Forensics: Principles and Practices 10 Real-Time NFAT Analysis (Cont.) The newest NFAT systems show an entire network in GUI format Real-time means being able to counter an attack while it is taking place Military refers to this as “cyberwarfare” Example systems:  Carnivore  eTrust

11 © Pearson Education Computer Forensics: Principles and Practices 11 Inside Threats A company’s worst enemy could be inside the network Employees have access to sensitive proprietary information that needs to be secured

12 © Pearson Education Computer Forensics: Principles and Practices 12 FYI: FBI’s Carnivore— a Network Forensics Tool Carnivore was an Internet packet sniffer designed to capture e-mail messages and reconstruct Web pages Ability to capture such data without a warrant raised civil liberties issues

13 © Pearson Education Computer Forensics: Principles and Practices 13 Real-Time NFAT Analysis (Cont.) Newer NFAT systems now allow the user to take an image of a host computer connected to a network without the knowledge of the user This capability can save incident response hours but raises ethical questions

14 © Pearson Education Computer Forensics: Principles and Practices 14 Network Forensics Abuse With an NFAT system anyone can:  Spy on users’ e-mail  Capture passwords  Know what Web pages were viewed  Covertly see the contents of a customer’s shopping cart

15 © Pearson Education Computer Forensics: Principles and Practices 15 Components of an NFAT System Common components include:  Agents—software modules used to monitor, retrieve, or intercept network data  Server—centralized computer or computers that hold the data collected from the network  Examiner computer—computer where the forensic/security examiner does the analysis of data

16 © Pearson Education Computer Forensics: Principles and Practices 16 Using an NFAT to Capture Data Catch it as you can  This method captures everything coming across the network  Typically not used as a proactive method Stop, look, and listen  Filtering method  Processor speed and buffer memory size are critical  Analysis is done in real-time

17 © Pearson Education Computer Forensics: Principles and Practices 17 Data Sources on a Network Host computers—a major source of forensic data Firewalls—basic logging enabled to document failed or denied connections  Firewalls categorized according to functions Network layer firewall—acts like an IP filter Application layer firewall—works at the application layer to permit or deny packets Proxy firewall—acts as a mediator between internal hosts/applications and external connections

18 © Pearson Education Computer Forensics: Principles and Practices 18 Data Sources on a Network (Cont.) DHCP servers—dynamically assign IP ad- dresses when computers connect to network NFAT/IDS agents—collect information from host in response to NFAT/IDS server request IDS/network monitoring software—monitors network system performance to create baselines Packet sniffers—collect data straight from network media; also are protocol analyzers

19 © Pearson Education Computer Forensics: Principles and Practices 19 In Practice: Detecting Credit Card Fraud Credit card fraud in 2003 identified a company that provided electronic payment software to retail outlets Criminals gained access to data contained in magnetic stripe of credit cards Investigators found a backdoor and keystroke logger Investigators set a trap using packet sniffer, dummy files, and Tripwire

20 © Pearson Education Computer Forensics: Principles and Practices 20 Physical Aspects of Capturing Data Devices used to collect information:  Switch port analyzer (SPAN)  Test access port (TAP)  Host inline device  Hubs  Wireless access points (WAPs)

21 © Pearson Education Computer Forensics: Principles and Practices 21 Logical Aspects of Capturing Data Agents  Small programs located on a network host that allow the NFAT server to view, copy, or modify a host remotely  Agent file is usually disguised to avoid detection Logs  NFAT software can accept input from almost any device that generates a log file  NFATs can sift through millions of log entries to extract important data

22 © Pearson Education Computer Forensics: Principles and Practices 22 Logical Aspects of Capturing Data (Cont.) Network data  Collected through sniffers and stored for later analysis  Data may be in raw format or in fields that can be queried  NFAT software usually contains a query language such as SQL to extract information

23 © Pearson Education Computer Forensics: Principles and Practices 23 Examining Data Verifying the integrity of the data  There are guidelines that can help ensure the integrity of network data: Logs Time/date stamps IDS alerts Database integrity

24 © Pearson Education Computer Forensics: Principles and Practices 24 Examining Data (Cont.) Analyzing the data for attacks  NFATs can use real-time analysis to detect intrusions  Use forensic features of NFAT to image suspect hosts and store data for future analysis Pattern analysis  Uses baselines to determine what is normal for a system  Patterns in data traffic signal changes in network

25 © Pearson Education Computer Forensics: Principles and Practices 25 Examining Data (Cont.) Content analysis  Also known as deep packet inspection  Used for real-time analysis of content such as e- mail or text documents Timeline sequencing analysis  Used to construct an overview of events Playback analysis  Used to replay specific network communications  Can examine specific traffic while ignoring the rest

26 © Pearson Education Computer Forensics: Principles and Practices 26 NFAT Software Tools All applications discussed in this chapter offer the following features:  Real-time network data capture  Content analysis  Forensic knowledge base  Reporting

27 © Pearson Education Computer Forensics: Principles and Practices 27 NFAT Software Tools (Cont.) Computer Associates’ eTrust  GUI visualization  Pattern analysis  Incident playback  Communication sequencing

28 © Pearson Education Computer Forensics: Principles and Practices 28 NFAT Software Tools (Cont.) Guidance Software  EnCase ® forensic software includes IDS and network forensic capabilities  Software can also perform enterprise-wide keyword searches  Enterprise edition also creates audit trail to ensure proper chain of custody and track abuses

29 © Pearson Education Computer Forensics: Principles and Practices 29 NFAT Software Tools (Cont.) Paraben ® software  P2 ® Enterprise software preserves data integrity using encryption from agent to server and examiner’s station to server  P2 can record information coming across a network for real-time analysis or to review later  Can take a “snapshot” of a host machine and archive results

30 © Pearson Education Computer Forensics: Principles and Practices 30 Summary IDSs of the past are being tailored as the input systems for NFAT systems NFAT software can be used to overcome data integrity issues Several data sources are available in networks

31 © Pearson Education Computer Forensics: Principles and Practices 31 Summary (Cont.) NFAT systems utilize two different data collection methods  Catch it as you can  Stop, look, and listen Common NFAT systems were also discussed The area of network forensics is just beginning to mature to the point of acceptance of evidence in court

32 © Pearson Education Computer Forensics: Principles and Practices 32 Summary (Cont.) Only surface possibilities and uses of forensic software have been touched upon in this chapter Data collection is becoming easier for forensic purposes Technology is available to ease the burden of data collection

Download ppt "Computer Forensics Principles and Practices by Volonino, Anzaldua, and Godwin Chapter 9: Internet and Network Forensics and Intrusion Detection."

Similar presentations

Network Systems Sales LLC

Network Systems Sales LLC
HONEYPOTS Mathew Benwell, Sunee Holland, Grant Pannell.

HONEYPOTS Mathew Benwell, Sunee Holland, Grant Pannell.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: Monitoring the Network Connecting Networks.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: Monitoring the Network Connecting Networks.
1 Chapter 7 Intrusion Detection. 2 Objectives In this chapter, you will: Understand intrusion detection benefits and problems Learn about network intrusion.

1 Chapter 7 Intrusion Detection. 2 Objectives In this chapter, you will: Understand intrusion detection benefits and problems Learn about network intrusion.
Introduction to Network Analysis and Sniffer Pro

Introduction to Network Analysis and Sniffer Pro
Security Awareness: Applying Practical Security in Your World

Security Awareness: Applying Practical Security in Your World
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
eGovernance Under guidance of Dr. P.V. Kamesam IBM Research Lab New Delhi Ashish Gupta 3 rd Year B.Tech, Computer Science and Engg. IIT Delhi.

eGovernance Under guidance of Dr. P.V. Kamesam IBM Research Lab New Delhi Ashish Gupta 3 rd Year B.Tech, Computer Science and Engg. IIT Delhi.
Maintaining and Updating Windows Server 2008

Maintaining and Updating Windows Server 2008
Host Intrusion Prevention Systems & Beyond

Host Intrusion Prevention Systems & Beyond
Check Disk. Disk Defragmenter Using Disk Defragmenter Effectively Run Disk Defragmenter when the computer will receive the least usage. Educate users.

Check Disk. Disk Defragmenter Using Disk Defragmenter Effectively Run Disk Defragmenter when the computer will receive the least usage. Educate users.
Lecture 11 Intrusion Detection (cont)

Lecture 11 Intrusion Detection (cont)
Department Of Computer Engineering

Department Of Computer Engineering
INTRUSION DETECTION SYSTEM

INTRUSION DETECTION SYSTEM
Security Guidelines and Management

Security Guidelines and Management
Presented by INTRUSION DETECTION SYSYTEM. CONTENT Basically this presentation contains, What is TripWire? How does TripWire work? Where is TripWire used?

Presented by INTRUSION DETECTION SYSYTEM. CONTENT Basically this presentation contains, What is TripWire? How does TripWire work? Where is TripWire used?
Information Security Introduction to Information Security Michael Whitman and Herbert Mattord 14-1.

Information Security Introduction to Information Security Michael Whitman and Herbert Mattord 14-1.
Information Systems CS-507 Lecture 40. Availability of tools and techniques on the Internet or as commercially available software that an intruder can.

Information Systems CS-507 Lecture 40. Availability of tools and techniques on the Internet or as commercially available software that an intruder can.
IT-security in the Ubiquitous Computing World Chris Kuo, CISSP, CISA Acer eDC (e-Enabling Data Center) Acer Inc. 2007/3/27.

IT-security in the Ubiquitous Computing World Chris Kuo, CISSP, CISA Acer eDC (e-Enabling Data Center) Acer Inc. 2007/3/27.
Forensic and Investigative Accounting

Forensic and Investigative Accounting

Similar presentations

Ads by Google